On Sun, Aug 03, 2014 at 10:08:03AM +0200, Daniel Gollub wrote: > > This proposed patch is not changing the existing sssd/pam_sss behavior > if a domain in login is required or not. If the sssd > option "use_fully_qualified_names" is false (default) then both will > work. If set to true, the domain needs to be specified. > > If the PAM service is using domains=emea.example,hq.example.com and > someone tries to sneak in by authenticating with: > [email protected] ... this will not work. The sssd pam responder > code - with this patch applied - is intended to completely skip any > other domain which is not set by the domains= argument.
My concern is this -- if we are going to harden the list of domains that will be used for authentication (or identity operations), it would be good to find a way to also make it possible for the application using the PAM stack to find out which domain (and thus which identity) sssd actually used. So for "login", was it "[email protected]" or "[email protected]" that was used? Do we have a way to return the information to the application? -- Jan Pazdziora Principal Software Engineer, Identity Management Engineering, Red Hat _______________________________________________ sssd-devel mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
